Japanese cybersecurity officials have warned that the infamous North Korean hacking team Lazarus Group recently conducted a supply chain attack targeting the PyPI software repository for Python apps.
Threat actors uploaded tainted packages with names like “pycryptoenv” and “pycryptoconf”, similar in name to the legitimate “pycrypto” encryption toolkit for Python. Developers who are tricked into downloading the nefarious packages onto their Windows computers get infected with a dangerous Trojan known as Comebacker.
“The confirmed malicious Python packages this time were downloaded approximately 300 to 1,200 times,” Japan CERT said in a notice issued late last month. “Attackers could target user typos to download malware.”
Dale Gardner, senior director and analyst at Gartner, describes Comebacker as a general-purpose Trojan used to release ransomware, steal credentials, and infiltrate the development pipeline.
Comebacker has been used in other North Korea-related cyberattacks, including an attack on an npm software development repository.
“The attack is a form of typosquatting – in this case, a dependency confusion attack. Developers are tricked into downloading packages containing malicious code,” says Gardner.
The latest attack is one of a kind of software repository attack that has surged in the last year or so.
“These types of attacks are growing rapidly: the open source Sonatype 2023 report revealed that 245,000 such packages were discovered in 2023, which is double the number of packages discovered, combined, since 2019,” says Gardner.
Asian developers are “disproportionately” affected.
PyPI is a centralized service with a global reach, so developers around the world should be on alert for this latest campaign from Lazarus Group.
“This attack isn’t something that would only affect developers in Japan and nearby regions,” Gardner points out. “It’s something that developers around the world should be on guard against.”
Other experts say non-native English speakers may be at greater risk from this latest attack by the Lazarus Group.
The attack “could disproportionately impact developers in Asia,” due to language barriers and less access to security information, says Taimur Ijlal, technology expert and cybersecurity leader at Netify.
“Development teams with limited resources may understandably have less bandwidth for rigorous code reviews and checks,” says Ijlal.
Jed Macosko, director of research at Academic Influence, says that app development communities in East Asia “tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms and linguistic commonalities.”
According to him, attackers may seek to take advantage of these regional connections and “trust relationships.”
Small software companies and start-ups in Asia typically have smaller security budgets than their counterparts in the West, notes Macosko. “This means weaker processes, tools and incident response capabilities, making infiltration and persistence more achievable goals for sophisticated threat actors.”
Cyber defense
Protecting application developers from these software supply chain attacks is “difficult and generally requires a variety of strategies and tactics,” says Gartner’s Gardner.
Developers should be more cautious and deliberate when downloading open source dependencies. “Given the amount of open source used today and the pressures of fast-paced development environments, it’s easy for even a well-trained and alert developer to make a mistake,” warns Gardner.
This makes automated approaches to “open source management and control” an essential protective measure, he adds.
“Software Composition Analysis (SCA) tools can be used to evaluate dependencies and can help spot fake or legitimate packages that have been compromised,” Gardner advises, adding that proactively testing packages “for the presence of malicious code” and validating packages using package managers can also mitigate the risk.
“We see some organizations setting up private registries,” he says. “These systems are supported by processes and tools that help vet open source to ensure it is legitimate” and does not contain vulnerabilities or other risks, he adds.
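A minimal pre-install check of the kind these tools automate, added here as an illustration and not taken from the article or any vendor's product: it flags requirement names that extend or closely resemble a trusted package name, using the “pycryptoenv” / “pycryptoconf” pattern the article describes. The allowlist and the requirements file are constructed for the demo.

```python
"""Flag dependency names that look like typosquats of trusted packages.
Added example; allowlist and requirements below are constructed, not real."""
import re
from typing import Dict, Optional

# Constructed allowlist of legitimate package names (lowercase, normalised).
TRUSTED = {"pycrypto", "pycryptodome", "requests", "numpy"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious(name: str, trusted=TRUSTED, max_dist: int = 2) -> Optional[str]:
    """Return the trusted name a requirement imitates, or None if the name
    is itself trusted or not close to anything on the allowlist."""
    n = re.sub(r"[-_.]+", "-", name.lower())   # PEP 503 style normalisation
    if n in trusted:
        return None
    for t in sorted(trusted):
        # Case 1: trusted name with a short suffix or prefix bolted on
        # (the article's "pycryptoenv" / "pycryptoconf" pattern).
        if (n.startswith(t) or n.endswith(t)) and 0 < len(n) - len(t) <= 5:
            return t
        # Case 2: a one- or two-character typo of a trusted name.
        if levenshtein(n, t) <= max_dist:
            return t
    return None

def audit(requirements: str) -> Dict[str, str]:
    """Map each suspicious requirement to the trusted package it resembles."""
    findings = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        hit = suspicious(name)
        if hit:
            findings[name] = hit
    return findings

# Constructed requirements file containing the names quoted in the article.
SAMPLE = "requests==2.31.0\npycryptoenv\npycryptoconf\npycryptodome\nnumpy\nreqeusts\n"

if __name__ == "__main__":
    for bad, looks_like in audit(SAMPLE).items():
        print(f"{bad!r} resembles trusted package {looks_like!r}")
```

Such a check is a cheap gate in CI before installation; it complements, rather than replaces, SCA scanning and a vetted private registry.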
PyPI no stranger to danger
While developers can take steps to reduce exposure, the burden of preventing abuse falls on platform providers like PyPI, according to Kelly Indah, a technology expert and security analyst at Increditools. This isn’t the first time malicious packages have been slipped onto the platform.
“Developer teams in every region rely on the trust and security of key repositories,” says Indah.
“The Lazarus incident undermines that trust. But through increased vigilance and a coordinated response from developers, project leaders and platform providers, we can work together to restore integrity and trust.”